7 No debuggers shall be present on the file system. This includes, but is not
8 limited to, the GNU Debugger client/server (commonly known in their short form
9 names such as the `gdb` and `gdbserver` executable binaries respectively), the
10 `LLDB` next generation debugger or the `TCF` (Target Communications Framework)
11 agnostic framework. Including these binaries as part of the file system will
12 facilitate an attacker's ability to reverse engineer and debug (either locally
13 or remotely) any process that is currently executing on the device.
15 ## Kernel debug symbols
17 Debug symbols should always be removed from production kernels as they provide a
18 lot of information to attackers.
20 <!-- section-config -->
22 Domain | `Config` name | `Value`
23 ---------------------- | ------------------- | -------
24 Kernel-Debug-Symbols-1 | `CONFIG_DEBUG_INFO` | `n`
26 <!-- end-section-config -->
28 These kernel debug symbols are enabled by other config items in the kernel. Care
29 should be taken to disable those also. If `CONFIG_DEBUG_INFO` cannot be
30 disabled, then enabling `CONFIG_DEBUG_INFO_REDUCED` is second best.
34 At least `CONFIG_DEBUG_INFO_REDUCED` should be always enabled for developers to
35 convert addresses in oops messages to line numbers.
37 <!-- end-section-note -->
39 --------------------------------------------------------------------------------
43 Kprobes enables you to dynamically break into any kernel routine and collect
44 debugging and performance information non-disruptively. You can trap at almost
45 any kernel code address, specifying a handler routine to be invoked when the
48 <!-- section-config -->
50 Domain | `Config` name | `Value`
51 ---------------------- | ---------------- | -------
52 Kernel-Debug-Kprobes-1 | `CONFIG_KPROBES` | `n`
54 <!-- end-section-config -->
56 --------------------------------------------------------------------------------
60 FTrace enables the kernel to trace every kernel function. Providing kernel trace
61 functionality would assist an attacker in discovering attack vectors.
63 <!-- section-config -->
65 Domain | `Config` name | `Value`
66 ---------------------- | --------------- | -------
67 Kernel-Debug-Tracing-1 | `CONFIG_FTRACE` | `n`
69 <!-- end-section-config -->
71 --------------------------------------------------------------------------------
75 Profiling and OProfile enables profiling the whole system, include the kernel,
76 kernel modules, libraries, and applications. Providing profiling functionality
77 would assist an attacker in discovering attack vectors.
79 <!-- section-config -->
81 Domain | `Config` name | `Value`
82 ------------------------ | ------------------ | -------
83 Kernel-Debug-Profiling-1 | `CONFIG_OPROFILE` | `n`
84 Kernel-Debug-Profiling-2 | `CONFIG_PROFILING` | `n`
86 <!-- end-section-config -->
88 --------------------------------------------------------------------------------
90 ## Disable OOPS print on BUG()
92 The output from OOPS print can be helpful in Return Oriented Programming (ROP)
93 when trying to determine the effectiveness of an exploit.
95 <!-- section-config -->
97 Domain | `Config` name | `Value`
98 ------------------------ | ------------------------- | -------
99 Kernel-Debug-OOPSOnBUG-1 | `CONFIG_DEBUG_BUGVERBOSE` | `n`
101 <!-- end-section-config -->
103 --------------------------------------------------------------------------------
105 ## Disable Kernel Debugging
107 There are development-only branches of code in the kernel enabled by the
108 `DEBUG_KERNEL` conf. This should be disabled to compile-out these branches.
110 <!-- section-config -->
112 Domain | `Config` name | `Value`
113 ------------------ | --------------------- | -------
114 Kernel-Debug-Dev-1 | `CONFIG_DEBUG_KERNEL` | `n`
115 Kernel-Debug-Dev-2 | `CONFIG_EMBEDDED` | `n`
117 <!-- end-section-config -->
119 In some kernel versions, disabling this requires also disabling
120 `CONFIG_EMBEDDED`, and `CONFIG_EXPERT`. Disabling `CONFIG_EXPERT` makes it
121 impossible to disable `COREDUMP`, `DEBUG_BUGVERBOSE`, `NAMESPACES`, `KALLSYMS`
122 and `BUG`. In which case it is better to leave this enabled than enable the
125 --------------------------------------------------------------------------------
129 ## Disable the kernel debug filesystem
131 The kernel debug filesystem presents a lot of useful information and means of
132 manipulation of the kernel to an attacker.
134 <!-- section-config -->
136 Domain | `Config` name | `Value`
137 ------------------------- | ----------------- | -------
138 Kernel-Debug-FileSystem-1 | `CONFIG_DEBUG_FS` | `n`
140 <!-- end-section-config -->
142 --------------------------------------------------------------------------------
144 ## Disable BUG() support
146 The kernel will display backtrace and register information for BUGs and WARNs in
147 kernel space, making it easier for attackers to develop exploits.
149 <!-- section-config -->
151 Domain | `Config` name | `Value`
152 ------------------ | ------------- | -------
153 Kernel-Debug-BUG-1 | `CONFIG_BUG` | `n`
155 <!-- end-section-config -->
157 --------------------------------------------------------------------------------
159 ## Disable core dumps
161 Core dumps provide a lot of debug information for hackers. So disabling core
162 dumps are recommended in production builds.
164 This configuration is supported in **Linux 3.7 and greater** and thus should
165 only be disabled for such versions.
167 <!-- section-config -->
169 Domain | `Config` name | `Value`
170 ------------------------ | ----------------- | -------
171 Kernel-Debug-CoreDumps-1 | `CONFIG_COREDUMP` | `n`
173 <!-- end-section-config -->
175 --------------------------------------------------------------------------------
179 ## Kernel Address Display Restriction
181 When attackers try to develop "run anywhere" exploits for kernel
182 vulnerabilities, they frequently need to know the location of internal kernel
183 structures. By treating kernel addresses as sensitive information, those
184 locations are not visible to regular local users.
186 **/proc/sys/kernel/kptr_restrict is set to "1"** to block the reporting of known
187 kernel address leaks.
189 <!-- section-config -->
191 Domain | `File` name | `Value`
192 ---------------------------- | -------------------------------- | -------
193 Kernel-Debug-AdressDisplay-1 | `/proc/sys/kernel/kptr_restrict` | `1`
195 <!-- end-section-config -->
197 Additionally, various files and directories should be readable only by the root
198 user: `/boot/vmlinuz*`, `/boot/System.map*`, `/sys/kernel/debug/`,
201 <!-- section-config -->
203 Domain | `File` or `Directorie` name | _State_
204 ---------------------------- | --------------------------- | -----------------------------
205 Kernel-Debug-AdressDisplay-1 | `/boot/vmlinuz*` | _Readable Only for root user_
206 Kernel-Debug-AdressDisplay-2 | `/boot/System.map*` | _Readable Only for root user_
207 Kernel-Debug-AdressDisplay-3 | `/sys/kernel/debug/` | _Readable Only for root user_
208 Kernel-Debug-AdressDisplay-4 | `/proc/slabinfo` | _Readable Only for root user_
210 <!-- end-section-config -->
212 --------------------------------------------------------------------------------
214 ## DMESG Restrictions
216 When attackers try to develop "run anywhere" exploits for vulnerabilities, they
217 frequently will use `dmesg` output. By treating `dmesg` output as sensitive
218 information, this output is not available to the attacker.
220 **/proc/sys/kernel/dmesg_restrict can be set to "1"** to treat dmesg output as
223 <!-- section-config -->
225 Domain | `File` name | `Value`
226 -------------------- | --------------------------------- | -------
227 Kernel-Debug-DMESG-1 | `/proc/sys/kernel/dmesg_restrict` | `1`
229 <!-- end-section-config -->
231 Enable the below compiler and linker options when building user-space
232 applications to avoid stack smashing, buffer overflow attacks.
234 --------------------------------------------------------------------------------
238 ## Disable /proc/config.gz
240 It is extremely important to not expose the kernel configuration used on a
241 production device to a potential attacker. With access to the kernel config, it
242 could be possible for an attacker to build a custom kernel for the device that
243 may disable critical security features.
245 <!-- section-config -->
247 Domain | `Config` name | `Value`
248 --------------------- | ----------------- | -------
249 Kernel-Debug-Config-1 | `CONFIG_IKCONFIG` | `n`
251 <!-- end-section-config -->